Legal claims defining the scope of protection, as filed with the USPTO.
1. A system, comprising: a processor configured to: monitor encrypted network communications between a client and an external site; process the encrypted network communications between the client and the external site to decrypt the encrypted network communications between the client and the external site and to detect a request from the client to create user credentials for user authentication on the external site; and determine whether the request from the client to create user credentials for user authentication on the external site violates a policy for password constraint enforcement for user authentication on external sites, the user credentials including a username, a password, or a combination thereof, wherein the determining of whether the request from the client to create the user credentials for the user authentication on the external site violates the policy for password constraint enforcement comprises to: determine whether the user credentials of the external site match other user credentials for user authentication on another external site, the other user credentials including a username, a password, or a combination thereof; and in the event that the user credentials of the external site match the other user credentials for user authentication on the other external site, determine that the request violates the policy for password constraint enforcement; and a memory coupled to the processor and configured to provide the processor with instructions.
2. The system recited in claim 1 , wherein: the policy further includes password complexity constraints for internal users of an enterprise network, password complexity constraints for internal users creating authentication credentials on external sites, a rule not to use a user's enterprise password on external sites, or a combination thereof; and the policy includes a username constraint, a password constraint, or both a username constraint and a password constraint.
3. The system recited in claim 1 , wherein the request relates to creating a new user account on the external site, the request including a new password associated with the new user account.
4. The system recited in claim 1 , wherein the processor is further configured to: perform an action in response to determining that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites.
5. The system recited in claim 1 , wherein the processor is further configured to: intercept a request to establish an encrypted session from the client to the external site; and send a request to establish the encrypted session on behalf of the client to the external site.
6. The system recited in claim 1 , wherein the system is a firewall device, and wherein the processor is further configured to: intercept a request to establish an encrypted session from the client to the external site; send a request to establish the encrypted session on behalf of the client to the external site; and send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device.
7. The system recited in claim 1 , wherein the system includes a firewall device, and wherein the processor is further configured to: intercept a request to establish an encrypted session from the client to the external site; send a request to establish the encrypted session on behalf of the client to the external site; send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device; and decrypt encrypted session traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site.
8. The system recited in claim 1 , wherein the system includes a firewall device, and wherein the processor is further configured to: intercept a request to establish an encrypted session from the client to the external site; send a request to establish the encrypted session on behalf of the client to the external site; send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device; decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site; allow the request to create the tunnel; and monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies that include the policy for password constraint enforcement for user authentication on external sites.
9. The system recited in claim 1 , wherein the system includes a firewall device, and wherein the processor is further configured to: intercept a request to establish an encrypted session from the client to the external site; send a request to establish the encrypted session on behalf of the client to the external site; send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device; decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site; allow the request to create the tunnel; monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and block the session traffic if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
10. The system recited in claim 1 , wherein the system includes a firewall device, and wherein the processor is further configured to: intercept a request to establish an encrypted session from the client to the external site; send a request to establish the encrypted session on behalf of the client to the external site; send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device; decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site; allow the request to create the tunnel; monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and generate an alert if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
11. The system recited in claim 1 , wherein the system includes a firewall device, and wherein the processor is further configured to: intercept a request to establish an encrypted session from the client to the external site; send a request to establish the encrypted session on behalf of the client to the external site; send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device; decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site; allow the request to create the tunnel; monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and block the client from accessing the external site if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
12. The system recited in claim 1 , wherein the system includes a firewall device, and wherein the processor is further configured to: intercept a request to establish an encrypted session from the client to the external site; send a request to establish the encrypted session on behalf of the client to the external site; send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device; decrypt encrypted traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site; allow the request to create the tunnel; monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and send a message to the client if a violation of a first firewall policy is determined, wherein the first firewall policy includes the policy for password constraint enforcement for user authentication on external sites.
13. The system recited in claim 1 , wherein the system includes a firewall appliance, wherein the encrypted network communications are encrypted using a first protocol, and wherein the first protocol is a Secure Sockets Layer (SSL) protocol or an HTTPS protocol.
14. The system recited in claim 1 , wherein: the policy further includes password complexity constraints for internal users of an enterprise network, password complexity constraints for internal users creating authentication credentials on external sites, a rule not to use a user's enterprise password on external sites, or a combination thereof; and the password complexity constraints for the internal users include a minimum password character length, use of at least one uppercase alphanumeric character, use of at least one number, use of at least one symbol, or any combination thereof.
15. The system recited in claim 1 , wherein: the policy further includes password complexity constraints for internal users of an enterprise network, password complexity constraints for internal users creating authentication credentials on external sites, a rule not to use a user's enterprise password on external sites, or a combination thereof; and the password complexity constraints for the internal users creating a new user account on the external site include a minimum password character length, use of at least one uppercase alphanumeric character, use of at least one number, use of at least one symbol, or any combination thereof.
16. The system recited in claim 1 , wherein the processor is further configured to: determine that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites; and perform an action in response to determining that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites, wherein the action includes blocking client access to the external site, logging a vulnerability, discarding the request to create user credentials, sending a message to the client indicating that the request violates the policy for password constraint enforcement for user authentication on external sites, sending a message to the client indicating at least one compliant password option, or any combination thereof.
17. A method, comprising: monitoring encrypted network communications between a client and an external site; processing the encrypted network communications between the client and the external site to decrypt the encrypted network communications between the client and the external site and to detect a request from the client to create user credentials for user authentication on the external site; and determining whether the request from the client to create user credentials for user authentication on the external site violates a policy for password constraint enforcement for user authentication on external sites, the user credentials including a username, a password, or a combination thereof, wherein the determining of whether the request from the client to create the user credentials for the user authentication on the external site violates the policy for password constraint enforcement comprises: determining whether the user credentials of the external site match other user credentials for user authentication on another external site, the other user credentials including a username, a password, or a combination thereof; and in the event that the user credentials of the external site match the other user credentials for user authentication on the other external site, determining that the request violates the policy for password constraint enforcement.
18. The method of claim 17 , further comprising: performing an action in response to determining that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites.
19. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for: monitoring encrypted network communications between a client and an external site; processing the encrypted network communications between the client and the external site to decrypt the encrypted network communications between the client and the external site and to detect a request from the client to create user credentials for user authentication on the external site; and determining whether the request from the client to create user credentials for user authentication on the external site violates a policy for password constraint enforcement for user authentication on external sites, the user credentials including a username, a password, or a combination thereof, wherein the determining of whether the request from the client to create the user credentials for the user authentication on the external site violates the policy for password constraint enforcement comprises: determining whether the user credentials of the external site match other user credentials for user authentication on another external site, the other user credentials including a username, a password, or a combination thereof; and in the event that the user credentials of the external site match the other user credentials for user authentication on the other external site, determining that the request violates the policy for password constraint enforcement.
20. The computer program product recited in claim 19 , further comprising computer instructions for: performing an action in response to determining that the request from the client to create user credentials for user authentication on the external site violates the policy for password constraint enforcement for user authentication on external sites.
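The claims describe three things a decrypting firewall has to do once it holds the plaintext of a session: recognise a request that creates credentials on an external site, test the new password against complexity constraints (claims 14 and 15), and test the credentials for reuse against another external site or against the user's enterprise password (claims 1 and 2). The Python below is an added illustration of that pipeline and is not code from the patent or from any assignee's product. The signup heuristic (form fields such as `confirm_password` or `new_password`), the per-device HMAC key, the policy thresholds and the sample requests are all assumptions made for the example; real sign-up forms vary widely (JSON bodies, different field names), so the detection step is where a production implementation would need the most work.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class PasswordPolicy:
    """Hypothetical policy object mirroring the constraints named in the claims."""
    min_length: int = 12
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    forbid_enterprise_password: bool = True
    forbid_reuse_across_sites: bool = True


# Form fields taken as a hint that a POST creates an account (assumption, not from the claims).
SIGNUP_HINT_FIELDS = ("new_password", "confirm_password", "password_confirm", "password2")


def detect_signup(request_line: str, body: str):
    """Return (username, password) when a decrypted HTTP request looks like account creation.

    A plain login POST (username + password only) carries none of the hint fields and is
    ignored, so the policy does not fire on every sign-in.
    """
    if not request_line.startswith("POST "):
        return None
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if not any(f in form for f in SIGNUP_HINT_FIELDS):
        return None
    username = form.get("username") or form.get("email")
    password = form.get("password") or form.get("new_password")
    if not username or not password:
        return None
    return username, password


class CredentialDigests:
    """Per-site keyed digests of credentials already seen, so the firewall never retains plaintext."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen: dict[str, set[str]] = {}

    def digest(self, *parts: str) -> str:
        return hmac.new(self._key, "\0".join(parts).encode(), hashlib.sha256).hexdigest()

    def record(self, site: str, username: str, password: str) -> None:
        self._seen.setdefault(site, set()).add(self.digest(username, password))

    def sites_reusing(self, site: str, username: str, password: str) -> list[str]:
        """Other external sites on which the same username/password pair was created."""
        d = self.digest(username, password)
        return sorted(s for s, ds in self._seen.items() if s != site and d in ds)


def complexity_violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Length, uppercase, digit and symbol checks, as listed in claims 14 and 15."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def evaluate_request(site, username, password, policy, digests, enterprise_pw_digest=None):
    """Apply the policy to one detected credential-creation request; returns (action, violations)."""
    violations = complexity_violations(password, policy)
    if policy.forbid_reuse_across_sites:
        for other in digests.sites_reusing(site, username, password):
            violations.append(f"same credentials already created on {other}")
    if policy.forbid_enterprise_password and enterprise_pw_digest is not None:
        if hmac.compare_digest(digests.digest(password), enterprise_pw_digest):
            violations.append("password matches the user's enterprise password")
    if not violations:
        digests.record(site, username, password)  # remember it for future reuse checks
        return "allow", []
    return "block", violations  # claim 16 lists block/log/discard/message as possible actions


def demo():
    """Constructed sample traffic (not captured data): clean signup, reuse, enterprise password, login."""
    policy = PasswordPolicy()
    digests = CredentialDigests(key=b"firewall-local-hmac-key")  # per-device secret (assumed)
    enterprise = digests.digest("Corp#Winter2017!")              # user's enterprise password digest (assumed)
    requests = [
        ("shop.example", "POST /signup HTTP/1.1",
         "email=alice%40corp.example&password=Tr0ub4dor%26x1&confirm_password=Tr0ub4dor%26x1"),
        ("forum.example", "POST /register HTTP/1.1",
         "username=alice%40corp.example&password=Tr0ub4dor%26x1&password2=Tr0ub4dor%26x1"),
        ("news.example", "POST /join HTTP/1.1",
         "email=alice%40corp.example&new_password=Corp%23Winter2017%21"),
        ("news.example", "POST /login HTTP/1.1", "email=alice%40corp.example&password=whatever"),
    ]
    results = []
    for site, line, body in requests:
        creds = detect_signup(line, body)
        if creds is None:
            results.append((site, "not-a-signup", []))
            continue
        action, violations = evaluate_request(site, *creds, policy, digests, enterprise)
        results.append((site, action, violations))
    return results
```

Two design points worth noting. The reuse check only works for sites whose sign-ups the firewall has already observed, which is why the clean request is recorded on the allow path; and the store holds keyed digests rather than the passwords themselves, since a device that decrypts all outbound TLS and also keeps every user's plaintext passwords would be a far more valuable target than the policy violation it prevents.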
March 7, 2017